AutoCAD Exchange

August 21, 2012

New Security Controls in AutoCAD 2013 SP1 Help Combat Malware

Over the last few years there has been an increasing number of malware attacks on AutoCAD. These attacks typically leverage the legacy autoloading process of the stock customization files (acad.lsp, acad.dvb, etc.) that come with AutoCAD. Modified versions of these files end up getting automatically loaded into AutoCAD and can cause data loss, corruption, and general annoyance. Here is a typical scenario…

A customer receives a ZIP file containing a variety of files including drawings, fonts, and a modified version of a stock customization file such as acad.lsp. The customer unzips that archive to a folder and double-clicks one of the drawings to open it. Launching the drawing this way makes that folder the current working directory (check DWGPREFIX to see for yourself), and because the current folder contains an acad.lsp file, it gets loaded automatically and begins doing whatever malicious tasks it was modified to do. To make matters worse, that file might be flagged as hidden, so the customer may not even know that it's in the ZIP file.

AutoCAD 2013 SP1 adds three controls to help close off this attack path:

Restrict autoloading of default customization to a specified location ONLY.

Disable autoloading of default customization files.

Disable the ability to load any AutoLISP file, automatically or manually.

Note: These same controls will also be added to AutoCAD 2013 for Mac and AutoCAD 2013-based verticals when their respective service packs are released. AutoCAD LT does not run AutoLISP or VBA applications and does not require these security measures.

AUTOLOADPATH system variable

The AUTOLOADPATH system variable controls the folders from which AutoCAD automatically loads the following AutoLISP and VBA files:

acad.lsp

acad.fas

acad.vlx

acaddoc.lsp

acaddoc.fas

acaddoc.vlx

acad.dvb

The default value of AUTOLOADPATH is the empty string ("") or a period (.), which preserves the legacy autoloading behavior, so you'll want to change it to the unique folder where your authorized applications are located.
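Before pointing AUTOLOADPATH at your trusted folder, it is worth knowing where else copies of the seven auto-loaded files are already sitting, especially next to drawings, since that is the trigger in the ZIP scenario above. The script below is an added example, not code from the post or an Autodesk tool: it walks a folder tree, reports every file carrying one of the seven autoload names that lives outside the folder you intend to authorize, notes whether a .dwg shares its folder, and checks the Windows hidden attribute. The sample tree it audits is constructed in a temporary directory; the "trusted" and "incoming" folder names are assumptions for the demo.

```python
"""Audit a folder tree for AutoCAD startup-customization files that sit
outside the folder you plan to name in AUTOLOADPATH.

Added example, not part of the original post and not an Autodesk tool.
Assumptions: the seven names below are the ones the post lists; the
hidden check uses the Windows file attribute and reports False elsewhere.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Files AutoCAD loads automatically (from the post). Matched
# case-insensitively because Windows file systems are.
AUTOLOAD_FILES = frozenset({
    "acad.lsp", "acad.fas", "acad.vlx",
    "acaddoc.lsp", "acaddoc.fas", "acaddoc.vlx",
    "acad.dvb",
})


@dataclass(frozen=True)
class Finding:
    path: Path           # autoload-named file found outside the trusted folder
    hidden: bool         # Windows hidden attribute set, as in the ZIP scenario
    with_drawings: bool  # a .dwg shares the folder: the double-click trigger


def is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set. Other platforms expose
    no such attribute through stat(), so this returns False there."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit_autoload_files(root: Path, authorized: Path) -> list[Finding]:
    """Walk `root` and report every autoload-named file that is not inside
    `authorized`, the folder AUTOLOADPATH will be pointed at."""
    authorized = authorized.resolve()
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath).resolve()
        if folder == authorized or authorized in folder.parents:
            continue  # copies in the trusted folder are expected
        has_dwg = any(f.lower().endswith(".dwg") for f in files)
        for name in files:
            if name.lower() in AUTOLOAD_FILES:
                full = folder / name
                findings.append(Finding(full, is_hidden(full), has_dwg))
    return findings


def build_sample_tree(base: Path) -> tuple[Path, Path]:
    """Constructed sample input: a trusted folder plus an 'incoming' folder
    shaped like the post's unzipped archive (a drawing beside a stray acad.lsp)."""
    trusted = base / "trusted"
    incoming = base / "incoming"
    (incoming / "fonts").mkdir(parents=True)
    trusted.mkdir()
    (trusted / "acad.lsp").write_text("; authorized startup code\n")
    (incoming / "site-plan.dwg").write_bytes(b"AC1027")  # constructed header bytes
    (incoming / "ACAD.LSP").write_text("; stray copy shipped in the ZIP\n")
    (incoming / "fonts" / "acaddoc.fas").write_bytes(b"\x00")
    return base, trusted


def run_demo() -> list[tuple[str, bool]]:
    """Audit the constructed tree; returns (relative path, with_drawings) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root, trusted = build_sample_tree(Path(tmp))
        findings = audit_autoload_files(root, trusted)
        base = root.resolve()
        return sorted(
            (f.path.relative_to(base).as_posix(), f.with_drawings)
            for f in findings
        )


if __name__ == "__main__":
    for rel, beside_dwg in run_demo():
        flag = "next to a drawing" if beside_dwg else "no drawing in folder"
        print(f"{rel}: autoload file outside trusted folder ({flag})")
```

Run it against the folder where users unpack incoming archives; anything it reports next to a drawing is exactly what the legacy behavior would have loaded, and is what AUTOLOADPATH set to your trusted folder, or AUTOLOAD set to 0, now keeps out.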

AUTOLOAD system variable

The AUTOLOAD system variable (no relation to the (autoload) AutoLISP function) controls whether the default AutoLISP applications and acad.dvb are automatically loaded at startup. When set to 0, it prevents the customization files listed above from loading automatically.

/nolisp Startup Switch

A new /nolisp switch can be added to the shortcut properties of your AutoCAD icon to disable the loading of all AutoLISP applications in the current AutoCAD session, including all LSP, FAS, and VLX files (I haven't checked it myself but I presume this affects MNL files as well). If your system has already been infected, this switch can help you limit the impact of the malware by stopping all AutoLISP from being loaded, either automatically or manually using APPLOAD, drag-and-drop, or the (load) function.

A new LISPENABLED system variable reports whether AutoLISP is enabled in the current AutoCAD session. If LISPENABLED is 0, AutoLISP has been disabled by the /nolisp startup switch.

Note: Disabling AutoLISP also prevents the Express Tools and some AutoCAD command tools from functioning and should only be used in emergency situations.

Other changes include:

The acad2013.lsp and acad2013doc.lsp files will now be loaded only from their default installation folders.

The "Load acad.lsp with every drawing" checkbox on the System tab of the Options dialog box (ACADLSPASDOC system variable) will be disabled when AUTOLOAD or LISPENABLED has a value of 0.